Engineering Authority and Trust in Cyberspace: The OM-AM and RBAC Way Prof. Ravi Sandhu George Mason University
2 © Ravi Sandhu 2000 AUTHORIZATION, TRUST AND RISK u Information security is fundamentally about managing l authorization and l trust so as to manage risk
3 © Ravi Sandhu 2000 THE OM-AM WAY Objectives Model Architecture Mechanism What? How? AssuranceAssurance
4 © Ravi Sandhu 2000 LAYERS AND LAYERS u Multics rings u Layered abstractions u Waterfall model u Network protocol stacks u Napolean layers u RoFi layers u OM-AM u etcetera
5 © Ravi Sandhu 2000 OM-AM AND MANDATORY ACCESS CONTROL (MAC) What? How? No information leakage Lattices (Bell-LaPadula) Security kernel Security labels AssuranceAssurance
6 © Ravi Sandhu 2000 OM-AM AND DISCRETIONARY ACCESS CONTROL (DAC) What? How? Owner-based discretion numerous ACLs, Capabilities, etc AssuranceAssurance
7 © Ravi Sandhu 2000 OM-AM AND ROLE-BASED ACCESS CONTROL (RBAC) What? How? Objective neutral RBAC96, ARBAC97, etc. user-pull, server-pull, etc. certificates, tickets, PACs, etc. AssuranceAssurance
8 © Ravi Sandhu 2000 DISTRIBUTED RBAC (DRBAC) CASE STUDY u Approximately a dozen physical sites u Approximately 2-3 simulation models/site u Fewer than 100 roles structured in a very shallow hierarchy l A subset of roles is used in any single simulation model u Fewer than 100 users u A user uses only one role at a time l Convenient but not critical u Moderate rate of change
9 © Ravi Sandhu 2000 DISTRIBUTED RBAC (DRBAC) CASE STUDY u Permission-role assignment l Locally determined at each simulation model u User-role assignment l A user can be assigned to a role if and only if all simulation models using that role agree l A user is revoked from a role if and only if any simulation model using that role revokes the user
10 © Ravi Sandhu 2000 DISTRIBUTED RBAC (DRBAC) CASE STUDY u Each simulation model has a security administrator role authorized to carry out these administrative tasks u A simulation model can assign permissions to a role X at any time l even if X is previously unused in that simulation model u Consequently any simulation model can revoke any user from any role!
11 © Ravi Sandhu 2000 RBAC3 ROLES USER-ROLE ASSIGNMENT PERMISSIONS-ROLE ASSIGNMENT USERSPERMISSIONS... SESSIONS ROLE HIERARCHIES CONSTRAINTS
12 © Ravi Sandhu 2000 MODEL CUSTOMIZATION u Each session has a single role u SM = {sm1, …, smk}, simulation models u OP = {op1, …, opl}, operations u P= SM X OP, permissions u SMA = {sma1, …, smk}, administrative roles R SMA = u Admin: SM SMA
13 © Ravi Sandhu 2000 MODEL CUSTOMIZATION u Can formalize the administrative rules given earlier u For each simulation model designate a unique user to be the chief security administrator who is authorized to assign and revoke users from the security administrator role for that model
14 © Ravi Sandhu 2000 DRBAC ARCHITECTURES u Permission-role l Enforced locally at each simulation model u Permission-role administration l Enforced locally at each simulation model l May need to communicate to other simulation models u User-role l See following slides u User-role administration l Centralized or decentralized
15 © Ravi Sandhu 2000 SERVER MIRROR ClientServer User-role Authorization Server
16 © Ravi Sandhu 2000 SERVER-PULL ClientServer User-role Authorization Server
17 © Ravi Sandhu 2000 USER-PULL ClientServer User-role Authorization Server
18 © Ravi Sandhu 2000 PROXY-BASED ClientServer Proxy Server User-role Authorization Server
19 © Ravi Sandhu 2000 THE OM-AM WAY Objectives Model Architecture Mechanism What? How? AssuranceAssurance